WebKit Bugzilla
Attachment 349070 Details for Bug 189198: [Curl][WebKitLegacy] Stop sending credential embedded in the url via XHR.
PATCH: 189198.diff (text/plain), 6.52 KB, created by Basuke Suzuki on 2018-09-06 14:18:53 PDT
Status: patch, obsolete
>diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index 9972e44066a..0e6f192de5d 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog >@@ -1,3 +1,15 @@ >+2018-09-06 Basuke Suzuki <Basuke.Suzuki@sony.com> >+ >+ [Curl][WebKitLegacy] Stop sending credential embedded in the url via XHR. >+ https://bugs.webkit.org/show_bug.cgi?id=189198 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * http/tests/xmlhttprequest/resources/url-with-credentials/authenticate.php: Added. >+ * http/tests/xmlhttprequest/resources/url-with-credentials/authorize.php: Added. >+ * http/tests/xmlhttprequest/url-with-credentials-expected.txt: Added. >+ * http/tests/xmlhttprequest/url-with-credentials.html: Added. >+ > 2018-08-31 Chris Dumez <cdumez@apple.com> > > [ WK2 ] http/tests/workers/service/client-*-page-cache.html LayoutTests are flaky >diff --git a/LayoutTests/http/tests/xmlhttprequest/resources/url-with-credentials/authenticate.php b/LayoutTests/http/tests/xmlhttprequest/resources/url-with-credentials/authenticate.php >new file mode 100644 >index 00000000000..ef132a541d7 >--- /dev/null >+++ b/LayoutTests/http/tests/xmlhttprequest/resources/url-with-credentials/authenticate.php >@@ -0,0 +1,4 @@ >+<?php >+ >+header('Content-Type: text/plain'); >+echo 'User: ' . $_SERVER['PHP_AUTH_USER'], ' Password: ' . $_SERVER['PHP_AUTH_PW']; >diff --git a/LayoutTests/http/tests/xmlhttprequest/resources/url-with-credentials/authorize.php b/LayoutTests/http/tests/xmlhttprequest/resources/url-with-credentials/authorize.php >new file mode 100644 >index 00000000000..b56bd727855 >--- /dev/null >+++ b/LayoutTests/http/tests/xmlhttprequest/resources/url-with-credentials/authorize.php >@@ -0,0 +1,8 @@ >+<?php >+ >+if (!isset($_SERVER['PHP_AUTH_USER'])) { >+ header('HTTP/1.0 401 Unauthorized'); >+ header('WWW-Authenticate: Basic realm="WebKit Test Area"'); >+} else { >+ include "authenticate.php"; >+} 
>diff --git a/LayoutTests/http/tests/xmlhttprequest/url-with-credentials-expected.txt b/LayoutTests/http/tests/xmlhttprequest/url-with-credentials-expected.txt >new file mode 100644 >index 00000000000..eb9d4ad6096 >--- /dev/null >+++ b/LayoutTests/http/tests/xmlhttprequest/url-with-credentials-expected.txt >@@ -0,0 +1,11 @@ >+If the request contains credentials in its url, it should be stripped from it. Also first attempt shouldn't contain basic auth header. >+ >+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". >+ >+ >+PASS xhr.responseText is "User: Password: " >+PASS xhr.responseText is "User: foo Password: bar" >+PASS successfullyParsed is true >+ >+TEST COMPLETE >+ >diff --git a/LayoutTests/http/tests/xmlhttprequest/url-with-credentials.html b/LayoutTests/http/tests/xmlhttprequest/url-with-credentials.html >new file mode 100644 >index 00000000000..93312ca3c27 >--- /dev/null >+++ b/LayoutTests/http/tests/xmlhttprequest/url-with-credentials.html 
>@@ -0,0 +1,40 @@ >+<head> >+ <script src="/js-test-resources/js-test-pre.js"></script> >+ <script> >+ description(`If the request contains credentials in its url, they should be stripped from it. >+ Also first attempt shouldn't contain basic auth header.`); >+ window.jsTestIsAsync = true; >+ >+ const xhr = new XMLHttpRequest(); >+ >+ function doTest(url, action) { >+ xhr.open('GET', url); >+ xhr.onload = xhr.onerror = action; >+ xhr.send(null); >+ } >+ >+ doTest( >+ /* First trial must be access without credentials. */ >+ 'http://foo:bar@127.0.0.1:8000/xmlhttprequest/resources/url-with-credentials/authenticate.php', >+ () => { >+ shouldBeEqualToString("xhr.responseText", "User: Password: "); >+ doTest( >+ /* Send auth info after getting authorization header. */ >+ 'http://foo:bar@127.0.0.1:8000/xmlhttprequest/resources/url-with-credentials/authorize.php', >+ () => { >+ shouldBeEqualToString("xhr.responseText", "User: foo Password: bar"); >+ finishJSTest(); >+ } >+ ); >+ } >+ ); >+ </script> >+ <script src="/js-test-resources/js-test-post.js"></script> >+</head> >+ >+<body> >+ <div id="description"></div> >+ <div id="console"></div> >+</body> >+ >+</html> >\ No newline at end of file >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index 74c70b57cbc..8b21740e05c 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog 
>@@ -1,3 +1,19 @@ >+2018-09-06 Basuke Suzuki <Basuke.Suzuki@sony.com> >+ >+ [Curl][WebKitLegacy] Stop sending credential embedded in the url via XHR. >+ https://bugs.webkit.org/show_bug.cgi?id=189198 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Because sync XHR of Curl port uses passed request directly, the credential information in >+ url is not removed. Use ResourceHandleInternal's firstRequest because those are >+ already takne out. >+ >+ Test: http/tests/xmlhttprequest/url-with-credentials.html >+ >+ * platform/network/curl/ResourceHandleCurl.cpp: >+ (WebCore::ResourceHandle::platformLoadResourceSynchronously): >+ > 2018-08-31 Chris Dumez <cdumez@apple.com> > > [ WK2 ] http/tests/workers/service/client-*-page-cache.html LayoutTests are flaky >diff --git a/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp b/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp >index 55aa9b709ba..c42adc378a6 100644 >--- a/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp >+++ b/Source/WebCore/platform/network/curl/ResourceHandleCurl.cpp >@@ -382,7 +382,6 @@ void ResourceHandle::platformLoadResourceSynchronously(NetworkingContext* contex > { > ASSERT(isMainThread()); > >- auto localRequest = request; > SynchronousLoaderClient client; > bool defersLoading = false; > bool shouldContentSniff = true; 
>@@ -390,12 +389,13 @@ void ResourceHandle::platformLoadResourceSynchronously(NetworkingContext* contex > RefPtr<ResourceHandle> handle = adoptRef(new ResourceHandle(context, request, &client, defersLoading, shouldContentSniff, shouldContentEncodingSniff)); > handle->d->m_messageQueue = &client.messageQueue(); > >- if (localRequest.url().protocolIsData()) { >+ if (request.url().protocolIsData()) { > handle->handleDataURL(); > return; > } > >- handle->d->m_curlRequest = handle->createCurlRequest(WTFMove(localRequest)); >+ auto requestCopy = handle->firstRequest(); >+ handle->d->m_curlRequest = handle->createCurlRequest(WTFMove(requestCopy)); > handle->d->m_curlRequest->start(); > > do {
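Review bot: In the `authenticate.php` hunk, `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` are unset on the first, credential-less request (the `authorize.php` hunk guards exactly that case with `isset`), so the `echo` raises undefined-index notices; with `display_errors` on they are written into the response body and the expected `"User: Password: "` line no longer matches. Suggest guarding both reads, e.g. `$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';` and the same for the password, before echoing.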
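Review bot: The `url-with-credentials.html` hunk only exercises asynchronous XHR (`xhr.open('GET', url)` with no third argument, and `window.jsTestIsAsync = true`), while the code change is confined to `platformLoadResourceSynchronously`, so the new test does not cover the path being fixed; add a synchronous variant (`xhr.open('GET', url, false)`) alongside the async one. Two smaller points in the same hunk: the `description()` template literal ("they should be stripped from it." followed by a newline and indentation) does not match the first line of `url-with-credentials-expected.txt` ("it should be stripped from it. Also first attempt ..."), so that line of the expected output will fail as written; and the file closes with `</html>` but never opens `<html>`, and ends without a trailing newline.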
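Review bot: Typo in the `Source/WebCore/ChangeLog` hunk: "already takne out" should read "already taken out".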
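Review bot: In the second `ResourceHandleCurl.cpp` hunk, the line `auto requestCopy = handle->firstRequest();` deserves a one-line comment saying why `firstRequest()` is used instead of the `request` parameter that the surrounding code still reads (the ChangeLog explains that the credentials embedded in the URL have already been removed from `firstRequest()`); without it the extra copy looks redundant next to `request.url().protocolIsData()` and is likely to be folded back to `request` in a later cleanup, reintroducing the leak.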
Flags: ews-watchlist: commit-queue-